(54) COMMUNICATION DEVICE INCLUDING VPN ACCOMMODATION FUNCTION



(57) Fully meshed virtual paths obtained with smaller number of
settings, thus facilitating expansion of VPN service. A communication
device in a virtual private network (VPN) having a VPN accommodation
function for connecting an intra-organization network or
inter-organization network through the Internet includes:

a first means for generating a VPN address, a format of which includes
both a VPN number for uniquely identifying a VPN in a certain scope and
a closed address used in an organization or among organizations, either
converting a packet header into a header having the above-mentioned VPN
address or adding the above-mentioned VPN address to a packet header
for transmission; and

a second means for, on receiving the packet having a header of the VPN
address format, either converting the received packet into a packet
format equivalent to an original packet format or removing a header
having VPN address format.

Description

FIELD OF THE INVENTION 

[0001] The present invention relates to a communication device having
a VPN (virtual private network) accommodation function for use in the
Internet.

BACKGROUND OF THE INVENTION

[0002] The Internet is a network enabling worldwide interconnection
among users, the number of which is proliferating. In recent years, a
variety of techniques have been developed actively to implement a VPN
using the Internet.

[0003] The VPN, or virtual private network, is a service connecting
intranets through the Internet. An example of a network configuration
providing VPN is shown in FIG. 1. In this FIG. 1, a variety of network
organizations including A - C are connected through routers 20 - 25 to
a network 1 which is managed by a service provider. These routers are
referred to as VPN edge routers.

[0004] Network 1 provided by the service provider generally
interconnects with other networks provided by other service providers.
As a VPN, a network for an organization A, as an example, is
exclusively interconnected within this organization A only, separated
from organizations B and C, through network 1 by the service provider.
In other words, only each network inside organization A, B or C is
logically interconnected.
[0005] Here, either a global address or a private address is used in an
intranet whereas a global address is normally used in the Internet. The
private address is an address to be applied in a network which is
closed in the scope of an organization, and therefore an identical
address may possibly be used in different organizations.
[0006] Accordingly, in a device accommodating VPN, it becomes necessary
to provide the packet routing function for both Internet and intranet.
Normally, in the direction from intranet to Internet, any packet for
communication in an intranet is converted to a packet which can be
processed in the Internet. In the direction from Internet to intranet,
the packet format is converted in the opposite way.
[0007] In the prior arts for performing such processing, as a first
art, there is a method of either combining an IPv4 (Internet Protocol,
version 4) header, the format of which includes a source address 26 and
a destination address 27 shown in FIG. 2, with another IPv4 header, or
combining with an IPv6 (Internet Protocol, version 6) header, the
format of which includes a source address 28 and a destination address
29 shown in FIG. 3. Thus the headers are encapsulated as shown in
FIGS. 4A and 4B, respectively (corresponding to the Internet standard
recommendation document, RFC 1853). Further, as a second prior art,
there is a method of employing an MPLS (Multiprotocol Label Switching)
shim header shown in FIG. 5 to encapsulate both an IPv4 header and a
shim header, as shown in FIG. 4C.
[0008] Both of the aforementioned prior arts employ a method of
establishing a packet path on the boundary between the Internet and the
intranet (which is referred to as tunnel).

[0009] More specifically, the encapsulation technique shown in FIG. 4
is realized by setting an IP address assigned at the boundary into an
IP header for encapsulation.

[0010] Meanwhile, according to the encapsulation method by a shim
header shown in FIG. 4C using an MPLS header shown in FIG. 5, the
tunneling between both sides of the boundary is enabled by setting a
unique value in a label field (Label) of the shim header on a
link-by-link basis, and setting a virtual path by converting this value
included in the label field in the device connecting the links.

[0011] However, according to the aforementioned prior arts, the number
of settings in the device incorporating VPN becomes the number of
tunnels x 2 (i.e. both end points of the tunnels). Therefore, there is
a problem that a substantially large number of settings become
necessary as the number of sites increases.
[0012] The number of the tunnels among N sites is (N - 1) x 2 in the
case of a star connection network in which the number of tunnels is
minimized. The number becomes N x (N - 1) in case of a full mesh
connection. If one site is added, it is necessary to add two (2)
settings in the case of star connection, or N settings in case of the
full mesh connection.

[0013] In case of the star connection, the performance of a root node
may cause a bottleneck. In addition, because a communication between
nodes other than root has to be transmitted through the root, an
identical packet has to be transmitted twice in the Internet. This
raises a problem of additional bandwidth consumption, so use of full
mesh connection is desirable.

SUMMARY OF THE INVENTION 

[0014] Accordingly, it is an object of the present invention to provide
a VPN service with fully meshed virtual paths obtained with a smaller
number of settings, thus facilitating expansion of VPN service.
[0015] This object is attained by providing a communication device in a
virtual private network (VPN) having a VPN accommodation function for
connecting an intra-organization network or inter-organization network
in accordance with the present invention through the Internet. As a
first embodiment of the communication device according to the present
invention, the communication device includes:

a first means for generating a VPN address, a format of which includes
both a VPN number for uniquely identifying a VPN in a certain scope and
a closed address used in an organization or among organizations, either
converting a packet header into a header having the above-mentioned VPN
address or adding the above-mentioned VPN address to a packet header
for transmission; and

a second means for, on receiving the packet having a header of the VPN
address format, either converting the received packet into a packet
format equivalent to an original packet format or removing a header
having VPN address format.

[0016] Further, as a second preferred embodiment according to the
present invention, in the aforementioned first embodiment, the
communication device further includes a processing means for, on
receiving a packet having the VPN address format, extracting a VPN
number from the VPN address, comparing it to a retained VPN number and
discarding the packet when the comparison results in inconsistency.
[0017] Still further, as a third preferred embodiment, in the
aforementioned first or second embodiment, a protocol used in an
organization or among organizations is IPv4 (Internet Protocol, version
4), a packet having a VPN address format conforms to IPv6 (Internet
Protocol, version 6), and an IPv6 header is either added to the IPv4
header or substituted for the IPv4 header by the above-mentioned first
means.

[0018] As a fourth preferred embodiment, in the aforementioned third
embodiment, the VPN number is included in an NLA-ID (Next-Level
Aggregation Identifier) field of the IPv6 aggregatable address format,
and an IPv4 address is stored in an SLA-ID (Site-Level Aggregation
Identifier) field and an Interface Identifier field.
[0019] Further, as a fifth preferred embodiment, in the aforementioned
first or second embodiment, a protocol used in an organization or among
organizations is IPv4, a packet having a VPN address format conforms to
IPv6, and an IPv6 header is added to an IPv4 packet or deleted.

[0020] Still further, as a sixth preferred embodiment, in the
aforementioned first or second embodiment, a protocol used in an
organization or among organizations is IPv6, a packet having VPN
address format conforms to IPv6, and a VPN address is generated using a
VPN number and an SLA-ID (Site-Level Aggregation Identifier) field and
an Interface Identifier field of the site-local address format or an
aggregatable global address included in an address of an IP header used
in an organization or among organizations, to perform address
conversion.

[0021] Still further, as a seventh preferred embodiment, in the
aforementioned first or second embodiment, a VPN address in a VPN
network for connecting an intra-organization network or an
inter-organization network through the Internet is constituted of a
Scope field indicating whether a VPN-ID is either a VPN which is closed
inside an ISP or a VPN which is connected through a plurality of ISPs,
and a VPN number by which a VPN is uniquely identifiable in the Scope
concerned.
[0022] Still further, as an eighth preferred embodiment, in either of
the aforementioned embodiments, a VPN-ID is constituted of an IPv4
address as the VPN address.

[0023] Further scopes and features of the present invention will become
more apparent from the following description of the embodiments with
the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 
[0024] 

FIG. 1 shows an example of network configuration diagram constituting a
virtual private network (VPN).

FIG. 2 shows an explanation drawing of an IPv4 header.

FIG. 3 shows an explanation drawing of an IPv6 header.

FIG. 4 shows a drawing illustrating header encapsulation.

FIG. 5 shows a diagram illustrating an MPLS shim header.

FIG. 6 shows a drawing illustrating the configuration concept of the
present invention.

FIG. 7 shows a diagram illustrating the definition of VPN address.

FIG. 8 shows a typical embodiment of the present invention.

FIG. 9 shows an example of configuration of a VPN accommodation
function portion shown in FIG. 6, illustrating an example of converting
an IPv4 header into an IPv6 header.

FIG. 10 shows another exemplary configuration of the VPN accommodation
function portion shown in FIG. 8 in the example of converting an IPv4
header into an IPv6 header.

FIG. 11 shows a diagram illustrating an IPv6 address generated in the
exemplary configurations shown in FIGS. 8, 9.

FIG. 12 shows an example of configuration of the VPN accommodation
function portion shown in FIG. 8, illustrating an example of
encapsulating an IPv4 packet with an IPv6 header.

FIG. 13 shows another example of configuration of the VPN accommodation
function portion shown in FIG. 8 in an example of encapsulating an IPv4
packet with an IPv6 header.

FIG. 14 shows an example of configuration of a VPN accommodation
function portion shown in FIG. 8, illustrating an example of employing
IPv6 in the intranet.

FIG. 15 shows another example of configuration of the VPN accommodation
function portion shown in FIG. 8 in an example of employing IPv6 in the
intranet.

FIG. 16 shows a diagram illustrating a VPN address corresponding to the
configurations shown in FIGS. 14, 15.

FIG. 17 shows a diagram illustrating an address used in a site-local
address format.

FIG. 18 shows an example of an aggregatable global address.

FIG. 19 shows a diagram illustrating an example of a VPN address having
a scope as an application example of the present invention.

FIG. 20 shows a diagram illustrating an example of a VPN address
employing an IPv4 global address, as an application example of the
present invention.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0025] The preferred embodiment of the present invention is described
hereinafter referring to the charts and drawings, wherein like numerals
or symbols refer to like parts. It is to be noted that these charts and
drawings illustrating the embodiments are attached for explaining the
present invention. The scope of the protection in the present invention
is not to be limited to these illustrations.

[0026] FIG. 6 is a drawing illustrating the configuration concept of
the present invention. In FIG. 6, a VPN accommodation function portion
32 according to the present invention is provided between an Internet
router function portion 30 and a VPN router function portion 31.
[0027] This VPN accommodation function portion 32 has a function of
either converting a header of a packet for transmission into a header
having a VPN address format, or encapsulating by including a header of
the VPN address format. VPN accommodation function portion 32 also has
a function of converting a packet to an identical format of an original
packet or deleting a header having the VPN address format on receiving
a packet having the VPN address format.
[0028] In the description of the present invention, a VPN address
format shown in FIG. 7 is defined. A header conforming to the address
format is generated by adding an ID for identifying a VPN, i.e. a VPN
number 34, to an IP address 33 for use in an intranet.
[0029] VPN number 34 is a number uniquely assigned in a certain region.
This region may be the whole region of the Internet or a region of an
Internet service provider (ISP). The address in the structure according
to the present invention is distinguished from an address of other type
by an FP (Format Prefix) 35.
[0030] According to the present invention, when compared to the case of
a full mesh network producing better efficiency, the number of settings
required for performing VPN can be reduced to N in contrast to
N x (N - 1) in the prior art. For reference, the number required for a
star connection in the prior art is (N - 1) x 2. Namely, according to
the present invention, a full mesh network can be obtained with the
number of settings smaller than in the case of star connection in the
prior art.
[0031] Also, in the case of adding a site in a full mesh network,
according to the present invention, only one setting is needed, in
contrast to N settings required in the prior art.

[0032] In regard to processing for performing normal routing in the
Internet, path establishment on a link-by-link basis is necessary in
the method employing MPLS shim header. In contrast, according to the
present invention, it is only necessary for route switching to use an
existing protocol like RIP (Routing Information Protocol) widely in use
having abundant operational results, as well as OSPF (Open Shortest
Path First), IS-IS (Intermediate System - Intermediate System) or BGP
(Border Gateway Protocol), which are modified so as to conform to the
Internet protocol IPv6.
[0033] Therefore, a protocol such as that employed in MPLS, which
requires label values to be set, is not needed. Here, by combining the
technique of encapsulating an IPv6 packet with an IPv4 header, it
becomes unnecessary for all network devices of the service provider to
conform to IPv6.

[0034] Now, a typical embodiment of the present invention is described
hereafter referring to the example shown in FIG. 8, in which an IPv4
address (either global address or private address) is used in the
intranet, and an IPv6 address is used in the Internet.

[0035] In the example shown in this FIG. 8, a router function portion
(on Internet side) 30, a router function portion (on VPN side) 31 and a
VPN accommodation function portion 32 are provided as a VPN edge router
20. A router 300 is a router function portion for connecting between
VPN edge routers 20.

[0036] VPN router function portion 31 has a routing table 501, while
router function portion 30 and router 300 have routing tables 502 and
503, respectively. A destination address and a source address are
described in an IPv4 packet header referring to these routing tables.
[0037] FIG. 9 is a configuration block diagram of VPN 
accommodation function portion 32 according to the 
present invention. 

[0038] When packet communication is carried out from one site in a VPN
to another site in the VPN, an IPv4 packet for use in the originating
site is transmitted to VPN accommodation function portion 32 in VPN
edge router 20.

[0039] In VPN accommodation function portion 32, IP addresses (both
source address and destination address) included in the IPv4 packet are
extracted in an IPv4 address extraction portion 320.
[0040] Using a VPN-ID (number) being set in a VPN-ID retention portion
321 in advance for identifying the VPN of interest, a VPN address in
the form of IPv6 for the Internet is generated by combining a VPN-ID 40
with an IPv4 address 41 in a VPN address generation portion 322, as
shown in FIG. 11.
[0041] The IPv6 VPN address thus generated is used for an IPv6 header
address to be added in an IPv6 header addition portion 324 after an
IPv4 header is deleted in an IPv4 header deletion portion 323, as shown
in FIG. 9. Thus the IPv4 header is converted into an IPv6 header.

[0042] The IPv6 packet thus converted is transferred to VPN
accommodation function portion 32 in VPN edge router 20 to which the
destination site is connected through the Internet 1. This VPN
accommodation function portion 32 is explained also referring to
FIG. 9. In FIG. 9, an IPv6 packet is input to an IPv6 packet address
extraction portion 325.

[0043] The IPv6 address extracted in IPv6 address extraction portion
325 is input to VPN-ID/IPv4 address separation portion 326 to separate
the IPv4 address. The separated IPv4 address is then used as an address
in the IPv4 header to be added in IPv4 header addition portion 328 to a
packet of which the IPv6 header is deleted in an IPv6 header deletion
portion 327. Thus the packet concerned is returned to an IPv4 packet.
[0044] FIG. 6B shows an aspect of header conversion between intranet
and the Internet corresponding to the aforementioned description
referring to FIG. 9.
[0045] In the above description, it may also be possible to check
whether the VPN-ID of the packet input to VPN accommodation function
portion 32 coincides with a predetermined VPN-ID. In such a case, VPN
accommodation function portion 32 is configured as shown in FIG. 10.
Namely, a comparison circuit 329 is additionally provided compared to
the configuration shown in FIG. 9.
[0046] Using this comparison circuit 329, a predeter- 
mined VPN number con-esponding to the VPN of inter- 
est retained In VPN-ID retention portion 321 Is conrv 
pared to the VPN-ID separated in VPN-ID/IPv4 address 30 
separation portion 326. 

[0047] As the result of this comparison, if the VPN numbers are
different, the packet is discarded in an IPv4 header addition portion
because the packet has no relation with the VPN of interest. This
prevents any packet from flowing in from or flowing out to a different
VPN, thus improving security.
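
The conversion and VPN-ID check of paragraphs [0039] to [0047], as an
added example that is not part of the patent text. Field widths follow
RFC 2374; the TLA-ID value, the placement of the IPv4 address in the
SLA-ID plus the upper 16 bits of the Interface ID, the function names,
and the check of both source and destination addresses are assumptions.

```python
import ipaddress

# Field widths from RFC 2374 (aggregatable global unicast address):
#   FP(3) | TLA-ID(13) | RES(8) | NLA-ID(24) | SLA-ID(16) | Interface ID(64)
FP = 0b001        # format prefix that marks the address type
TLA_ID = 0x0001   # constructed provider value, for illustration only
NLA_SHIFT = 80    # VPN-ID is carried in the 24-bit NLA-ID field
IPV4_SHIFT = 48   # assumption: IPv4 fills SLA-ID plus top 16 bits of Interface ID
PREFIX = (FP << 125) | (TLA_ID << 112)
VARIABLE_BITS = (0xFFFFFF << NLA_SHIFT) | (0xFFFFFFFF << IPV4_SHIFT)


def make_vpn_address(vpn_id, ipv4):
    """Combine a VPN-ID and an intranet IPv4 address into an IPv6 VPN address."""
    if not 0 <= vpn_id < (1 << 24):
        raise ValueError("VPN-ID does not fit the 24-bit NLA-ID field")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(PREFIX | (vpn_id << NLA_SHIFT) | (v4 << IPV4_SHIFT))


def split_vpn_address(addr):
    """Separate an IPv6 VPN address into (vpn_id, IPv4Address).

    Raises ValueError when the address is not in the VPN address format:
    wrong FP or TLA-ID, non-zero reserved bits, or non-zero unused low bits.
    """
    value = int(ipaddress.IPv6Address(addr))
    if value & ~VARIABLE_BITS != PREFIX:
        raise ValueError("not a VPN-format address")
    vpn_id = (value >> NLA_SHIFT) & 0xFFFFFF
    ipv4 = ipaddress.IPv4Address((value >> IPV4_SHIFT) & 0xFFFFFFFF)
    return vpn_id, ipv4


def ingress(vpn_id, src4, dst4):
    """Intranet to Internet: IPv4 header addresses become IPv6 VPN addresses."""
    return make_vpn_address(vpn_id, src4), make_vpn_address(vpn_id, dst4)


def egress(retained_vpn_id, src6, dst6):
    """Internet to intranet: restore the IPv4 addresses, or discard.

    Returns (src4, dst4), or None when the packet must be dropped because an
    address is malformed or carries a VPN-ID other than the retained one.
    """
    try:
        src_vpn, src4 = split_vpn_address(src6)
        dst_vpn, dst4 = split_vpn_address(dst6)
    except ValueError:
        return None
    if src_vpn != retained_vpn_id or dst_vpn != retained_vpn_id:
        return None
    return src4, dst4


if __name__ == "__main__":
    # Constructed sample: two organizations reuse the same private address.
    a = make_vpn_address(10, "10.1.2.3")
    b = make_vpn_address(11, "10.1.2.3")
    print("VPN 10:", a)
    print("VPN 11:", b)

    src6, dst6 = ingress(10, "10.1.2.3", "10.9.0.7")
    print("edge router of VPN 10 accepts:", egress(10, src6, dst6))
    print("edge router of VPN 11 result :", egress(11, src6, dst6))
```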
[0048] Further, as a result of VPN accommodation function portion 32
outputting a route including up to an IPv4 prefix shown in FIG. 11,
routing by IPv6 is carried out according to routing table 502 shown in
FIG. 6.
[0049] In the above description, a case of converting 
an IPv4 header into an IPv6 header is shown. However, 
in place of this conversion processing, it is also possible 
to employ the aforementioned encapsulation method. 
[0050] In such a case, the configurations of VPN accommodation function
portion 32 shown in FIGS. 9, 10 are replaced by the configurations
shown in FIGS. 12, 13, respectively. In the configurations shown in
FIGS. 12, 13, IPv4 header deletion portion 323 and IPv4 header addition
portion 328 become unnecessary.
[0051] Namely, an IPv6 VPN address generated in VPN address generation
portion 322 is added to an IPv4 packet in IPv6 header addition portion
324 to encapsulate. Therefore, IPv4 header deletion portion 323 is not
required in FIGS. 12, 13.

[0052] Also, in FIGS. 12, 13, the IPv6 address included in a signal
input from the Internet is extracted in IPv6 address extraction portion
325, while the IPv4 address remains unchanged. Therefore, IPv4 address
addition portion 328 is also not required.
[0053] This situation is shown in FIG. 6C, taking the header conversion
shown in FIG. 4A as an example.
[0054] The foregoing description is based on the intranet employing
IPv4. When IPv6 is employed in the intranet, a similar operation can be
achieved by handling as an IPv4 address a subnet ID, or data under a
site prefix, included in a site-local address (i.e. a local address not
connected to the Internet).
[0055] FIGS. 14, 15 show examples of configuration block diagram of VPN
accommodation function portion 32 when IPv6 is used in the intranet,
which respectively correspond to FIGS. 9, 10. As shown in FIGS. 14, 15,
IPv6 address extraction portions 330, 332 and address substitution
portions 331, 333 are provided for handling IPv6 addresses.

[0056] FIG. 16 shows an explanation drawing of a VPN address
corresponding to the configurations shown in FIGS. 14, 15. In these
FIGS. 14, 15, a VPN address is generated by the address conversion
using a VPN-ID 40 shown in this FIG. 16, a subnet ID/SLA 42 in the
site-local address format or the aggregatable global address format and
an Interface ID field 43 in an IP header address used in an
organization or among organizations.

[0057] This address conversion is performed in address substitution
portion 331 shown in FIGS. 14, 15.
[0058] Here, an exemplary address in the site-local address format is
shown in FIG. 17. In this FIG. 17, field I denotes a global address,
and field II denotes an address in an organization having a subnet ID
and an Interface ID.

[0059] FIG. 18 shows an example of an aggregatable global address, in
which field I includes global address, and field II includes Site-Level
Aggregation ID and Interface ID.

[0060] Further, as an application of the present invention, it is
possible to use the VPN address shown in FIG. 19. Here, FIG. 19A shows
a case of employing IPv4 in the intranet, while FIG. 19B shows a case
of employing IPv6 in the intranet.

[0061] In FIG. 19, there is provided a scope field 44 which stores a
flag indicating whether or not VPN-ID 45 is a VPN closed in a service
provider. In the case of closed VPN in the service provider, it becomes
possible for the service provider to assign VPN-ID 45.
[0062] As another application of the present invention, a VPN address
shown in FIG. 20 may be used. FIG. 20A shows the case of IPv4 employed
in the intranet, while FIG. 20B shows the case of IPv6 employed in the
intranet.

[0063] FIG. 20 shows an example in which using an IPv4 global address
as a VPN-ID inevitably results in obtaining a unique VPN-ID 45. For
example, using an IPv4 global address assigned to an organization
produces a unique address. At the same time, this makes it unnecessary
to manage VPN-ID 45 to maintain its uniqueness.

INDUSTRIAL APPLICABILITY

[0064] As has been described, according to the present invention, a VPN
service can be achieved with a remarkably reduced number of settings
compared to other methods. This brings about less possibility of
setting errors or operational mistakes, and therefore an operator may
provide the service safely.
[0065] Because of the reduced number of settings against end user
demands, the service may be provided in a short preparation period. In
addition, according to the present invention, a simple functional
addition in an edge router is only required. For routers on users' side
and routers not located on user boundary, routers for general use may
be used without need of modification, thus facilitating installation.

[0066] Further, when considering multi-vendor connection using routers
of multi-vendor products, the method requires only a unicast routing
protocol of general use having sufficient actual operation results,
such as RIP, OSPF, IS-IS or BGP. Any peculiar protocol such as MPLS
label distribution protocol is not necessary. Therefore, multi-vendor
connection may be achieved easily.

[0067] Moreover, the service may be introduced even when addresses
assigned in an organization are overlapped.

[0068] To conclude, the present invention brings about a large effect,
greatly contributing to the expansion of VPN services on the Internet.
[0069] The foregoing description of the embodiments is not intended to
limit the invention to the particular details of the examples
illustrated. Any suitable modification and equivalents may be resorted
to the scope of the invention. All features and advantages of the
invention which fall within the scope of the invention are covered by
the appended claims.



Claims

1. A communication device having a virtual private network (VPN)
accommodation function in a VPN network for connecting an
intra-organization network or an inter-organization network through the
Internet, said communication device comprising:

a first means for generating a VPN address, a format of which includes
both a VPN number uniquely identifying a VPN in a certain scope and a
closed address used in an organization or among organizations, and
either converting a packet header to a header having said VPN address,
or adding said VPN address to a packet header for transmission; and

a second means for, on receiving a packet having a header of said VPN
address format, either converting said received packet into a packet
format equivalent to an original packet format or removing a header
having a VPN address format.

2. The communication device according to claim 1 further comprising:

a processing means for, on receiving a packet having said VPN address
format, extracting a VPN number from said VPN address, comparing to a
retained VPN number, and discarding said packet when said retained VPN
number is different from said extracted VPN number.

3. The communication device according to either claim 1 or claim 2,
wherein a protocol used in an organization or among organizations is
IPv4 (Internet Protocol, version 4), a packet having a VPN address
format conforms to IPv6 (Internet Protocol, version 6), and an IPv6
header is either added to said IPv4 header or substituted for IPv4
header by said first means.

4. The communication device according to claim 3, wherein an NLA-ID
(Next-Level Aggregation Identifier) field in the IPv6 aggregatable
address format is used for said VPN number, and an IPv4 address is
stored in an SLA-ID (Site-Level Aggregation Identifier) field and an
Interface ID (Interface Identifier) field.

5. The communication device according to either claim 1 or claim 2,
wherein a protocol used in an organization or among organizations is
IPv4, a packet having a VPN address format conforms to IPv6, and an
IPv6 header is either added to an IPv4 packet or deleted.

6. The communication device according to either claim 1 or claim 2,
wherein a protocol used in an organization or among organizations is
IPv6, a packet having a VPN address format conforms to IPv6, and a VPN
address is generated using a VPN number and an SLA-ID (Site-Level
Aggregation Identifier) field and an Interface Identifier field of the
site-local address format or an aggregatable global address included in
an address of an IP header used in an organization or among
organizations, to perform address conversion.

7. The communication device according to either claim 1 or claim 2,
wherein a VPN address in a VPN network for connecting an
intra-organization network or an inter-organization network through the
Internet is constituted of a Scope field indicating whether a VPN-ID is
either a VPN which is closed inside an Internet service provider (ISP)
or a VPN which is connected through a plurality of ISP, and a VPN
number by which a VPN is uniquely identifiable in said Scope.

8. The communication device according to either claim 1 to claim 7,
wherein a VPN-ID is constituted of an IPv4 address as said VPN address.